Vulnerability identifier: #VU66746
Vulnerability risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-338
Exploitation vector: Network
Exploit availability: No
Vulnerable software: NodeBB (Web applications / Forum & blogging software)
Vendor: NodeBB
Description
The vulnerability allows a remote attacker to compromise the affected application.
The vulnerability exists due to usage of a weak pseudo-random number generator within the utils.generateUUID function. A remote attacker can use multiple invocations of the password reset functionality to correctly calculate the reset code and take over an arbitrary account on the website.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
NodeBB: 1.0.0 - 2.0.0
External links
http://github.com/NodeBB/NodeBB/security/advisories/GHSA-p4cc-w597-6cpm
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.